# Cloudflare DNS → Nginx Proxy Setup

## ✅ Configuration Complete

All DNS records now point to the **Nginx Proxy only** (never exposing backend IPs).

## 📋 Architecture

```
Internet → Cloudflare → Nginx Proxy (20.160.58.99) → Backend Services
```

- **Never expose backend IPs** (10.1.1.4-10.5.1.4) directly
- **All traffic** goes through the Nginx Proxy
- **Cloudflare** handles SSL termination (for proxied records)
- **Nginx** routes to the appropriate backend services

## 🔧 DNS Configuration

### Proxied Services (through Cloudflare SSL)

- `explorer.d-bis.org` → Nginx Proxy (port 4000 → Blockscout)
- `besu.d-bis.org` → Nginx Proxy (port 8545 → Besu RPC)
- `blockscout.d-bis.org` → Nginx Proxy (port 4000 → Blockscout)
- `monitoring.d-bis.org` → Nginx Proxy
- `wallet.d-bis.org` → Nginx Proxy
- `d-bis.org` → Nginx Proxy
- `www.d-bis.org` → Nginx Proxy

### Direct Services (not proxied by CF, still via Nginx)

- `rpc.d-bis.org` → Nginx Proxy (direct IP, no CF proxy)
- `metrics.d-bis.org` → Nginx Proxy
- `api.d-bis.org` → Nginx Proxy
- `docs.d-bis.org` → Nginx Proxy
- `grafana.d-bis.org` → Nginx Proxy
- `prometheus.d-bis.org` → Nginx Proxy
- `tessera.d-bis.org` → Nginx Proxy
- `ws.d-bis.org` → Nginx Proxy

## 🚀 Usage

### Update DNS Records

```bash
# Update all DNS records to point to Nginx Proxy
./scripts/cloudflare/update-dns-to-proxy.sh
```

This script:

- ✅ Reads Cloudflare secrets from `.env`
- ✅ Updates all DNS A records to the Nginx Proxy IP
- ✅ Removes duplicate records
- ✅ Never exposes backend IPs

### Verify DNS Configuration

```bash
# Verify all records point to proxy
./scripts/cloudflare/verify-dns.sh
```

## 📝 Environment Variables

Required in `.env`:

```bash
CLOUDFLARE_ZONE_ID="your-zone-id"
CLOUDFLARE_ACCOUNT_ID="your-account-id"
CLOUDFLARE_API_TOKEN="your-api-token"
CLOUDFLARE_DOMAIN="d-bis.org"
NGINX_PROXY_IP="20.160.58.99"
```

## 🔒 Security

- ✅ **No backend IPs exposed** - All traffic through proxy
- ✅ **Cloudflare SSL** - For proxied services
- ✅ **Nginx routing** - Internal service routing
- ✅ **Single entry point** - Centralized access control

## 🔄 After DNS Update

1. **Wait 1-5 minutes** for DNS propagation
2. **Verify records**:
   ```bash
   dig explorer.d-bis.org
   dig besu.d-bis.org
   ```
3. **Test endpoints**:
   ```bash
   curl -I https://explorer.d-bis.org
   curl -X POST http://besu.d-bis.org:8545 \
     -H "Content-Type: application/json" \
     -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
   ```

## ⚠️ Important Notes

- **Never expose backend IPs** (10.1.1.4-10.5.1.4) in DNS
- **All services** must be accessible via the Nginx Proxy
- **Nginx config** must route hostnames to the correct backend services
- **Update Nginx** if adding new services
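As an added example for the "Verify DNS Configuration" step and the "never expose backend IPs" rule above (this is not the project's `verify-dns.sh`), the script below classifies every resolved A record as the proxy, a backend address or something else, and fails only when a backend address has leaked into public DNS. It assumes `NGINX_PROXY_IP` is exported from `.env` (the default matches this page) and that all backends live in `10.0.0.0/8`; `classify_ip`, `check_records` and `resolve_all` are names chosen here.

```shell
#!/bin/sh
# Added example (not the project's verify-dns.sh): leak check for resolved A records.
# Assumptions: NGINX_PROXY_IP comes from .env (default below matches this page);
# every backend host is in 10.0.0.0/8 (10.1.1.4-10.5.1.4).
NGINX_PROXY_IP="${NGINX_PROXY_IP:-20.160.58.99}"

# classify_ip IP -> prints proxy | backend | other
classify_ip() {
  case "$1" in
    "$NGINX_PROXY_IP") echo proxy ;;
    10.*)              echo backend ;;
    *)                 echo other ;;
  esac
}

# check_records reads "hostname ip" lines on stdin and prints "hostname ip verdict".
# Returns 1 if any record points at a backend address. "other" is reported but
# tolerated: proxied (orange-cloud) names resolve to Cloudflare edge addresses,
# not to the Nginx proxy itself, so only direct (grey-cloud) names show the proxy IP.
check_records() {
  rc=0
  while read -r host ip; do
    [ -n "$host" ] || continue
    verdict=$(classify_ip "$ip")
    printf '%s %s %s\n' "$host" "$ip" "$verdict"
    [ "$verdict" != backend ] || rc=1
  done
  return $rc
}

# resolve_all reads hostnames on stdin and emits "hostname ip" pairs via dig.
resolve_all() {
  while read -r host; do
    for ip in $(dig +short A "$host"); do
      printf '%s %s\n' "$host" "$ip"
    done
  done
}

# Usage: sh check-dns.sh rpc.d-bis.org ws.d-bis.org ...  (no arguments: nothing is resolved)
if [ "$#" -gt 0 ]; then
  printf '%s\n' "$@" | resolve_all | check_records
fi
```

A non-zero exit means a `10.x` address is publicly resolvable and the record must be repointed at the proxy before anything else is checked.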